Examining Indistinguishability-Based Proof Models for Key Establishment Protocols

Kim-Kwang Raymond Choo, Colin Boyd, and Yvonne Hitchcock
Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane, QLD 4001, Australia
{k.choo, c.boyd, y.hitchcock}@qut.edu.au

Abstract. We examine various indistinguishability-based proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, identify several subtle differences between these variants and models, and compare the relative strengths of the notions of security between the models. For each pair of relations between the models (either an implication or a non-implication), we provide proofs or counter-examples to support the observed relations. We also reveal a drawback with the original formulation of the Bellare, Pointcheval, & Rogaway (2000) model, whereby the Corrupt query is not allowed.

1 Introduction

Key establishment protocols are used for distributing shared keying material in a secure manner. However, despite their importance, the difficulties of obtaining a high level of assurance in the security of almost any new, or even existing, protocol are well illustrated with examples of errors found in many such protocols years after they were published. The treatment of computational complexity analysis adopts a deductive reasoning process whereby the emphasis is placed on a proven reduction from the problem of breaking the protocol to another problem believed to be hard. Such an approach for key establishment protocols was made popular by Bellare & Rogaway [6] who provide the first formal definition for a model of adversary capabilities with an associated definition of security (which we refer to as the BR93 model in this paper). Since then, many research efforts have been oriented towards this end which have resulted in numerous protocols with accompanying computational proofs of security proposed in the literature. The BR93 model has been further revised several times. In 1995, Bellare and Rogaway analysed a three-party server-based key distribution (3PKD) protocol [7] using an extension to the BR93 model, which we refer to as the BR95 model. A more recent revision to the model was proposed in 2000 by Bellare, Pointcheval and Rogaway [5], hereafter referred to as the BPR2000 model. Collectively, the BR93, BR95, and BPR2000 models will be referred to as the Bellare–Rogaway models. In independent yet related work, Bellare, Canetti, & Krawczyk [4] built on the BR93 model and introduced a modular proof model. However, some drawbacks with this formulation were discovered and this modular proof model was subsequently modified by Canetti & Krawczyk [12], and will be referred to as the CK2001 model in this paper.

This work was partially funded by the Australian Research Council Discovery Project Grant DP0345775. The full version of this paper appears in [14].

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 585–604, 2005. © International Association for Cryptologic Research 2005

Proof Models. There are several important differences between the BR93, BR95, BPR2000, and CK2001 models (which have a significant impact on the security of the models), as follows:
1. the way partner oracles are defined (i.e., the definition of partnership),
2. the powers of the probabilistic, polynomial-time (PPT) adversary,
3. the modular approach adopted in the CK2001 model, and
4. the provable security goals provided by the models.

DIFFERENCE 1: Security in the models depends on the notions of partnership of oracles and indistinguishability of session keys. The BR93 model defines partnership using the notion of matching conversations, where a conversation is a sequence of messages exchanged between some instances of communicating oracles in a protocol run. Partnership in the BR95 model is defined using the notion of a partner function, which uses the transcript (the record of all Send oracle queries) to determine the partner of an oracle by providing a mapping between two oracles that should share a secret key on completion of the protocol execution. However, such a partner definition can easily go wrong. One such example is the partner function described in the original BR95 paper for the 3PKD protocol [7], which was later found to be flawed [15]. The BPR2000 model and the CK2001 model define partnership using the notion of session identifiers (SIDs). Although in the BPR2000 model, the construction of SIDs is suggested to be the concatenation of messages exchanged during the protocol run, protocol designers can construct SIDs differently. There is no formal definition of how SIDs should be defined in the CK2001 model. Instead, SIDs are defined to be some unique values agreed upon by two communicating parties prior to the protocol execution. We observe that the way SIDs are constructed can have an impact on the security of the protocol in the model.

DIFFERENCE 2: The CK2001 model enjoys the strongest adversarial power (compared to the Bellare–Rogaway models) as the adversary is allowed to ask the Session-State Reveal query that will return all the internal state (including any ephemeral parameters but not long-term secret parameters) of the target session to the adversary. In contrast, most models only allow the adversary to reveal session keys for uncorrupted parties. In the original BR93 and BPR2000 models, the Corrupt query (that allows the adversary to corrupt any principal at will, and thereby learn the complete internal state of the corrupted principal) is not allowed. In this paper, we consider the BR93 model which allows the adversary access to a Corrupt query because later proofs of security in the BR93 model [2,8,9,13,16,17,19] allow the Corrupt query. However, we consider the original BPR2000 model without Corrupt query because the basic notion of BPR2000 freshness restricts the adversary, A, from corrupting anyone in the model (i.e., effectively restricting A from asking any Corrupt query). However, we show that the omission of such a (Corrupt) query in the BPR2000 model allows an insecure protocol to be proven secure in the model.

DIFFERENCE 3: A major advantage of the CK2001 model is its modular approach whereby protocols may be proven secure in an ideal world (AM) model in which the passive adversary is prevented from fabricating messages coming from uncorrupted principals, and translating such a protocol proven secure in the AM into one that is secure in the more realistic real world model (the UM). As Boyd, Mao, & Paterson [10] have pointed out, the CK2001 modular approach facilitates an engineering approach to protocol design, where protocol components may be combined by “mix and match” to tailor to the application at hand (analogous to a Java API library).

DIFFERENCE 4: Both the BR93 and BPR2000 models provide provable security for entity authentication & key distribution, whilst the BR95 model provides provable security for only the key distribution. Intuitively, protocols that provide both entity authentication and key distribution are “stronger” than protocols that provide only key distribution. In this paper, we refer to the BR93 and BPR2000 models that provide provable security for only key distribution as BR93 (KE) and BPR2000 (KE) respectively, and the BR93 and BPR2000 models that provide provable security for both entity authentication & key distribution as BR93 (EA+KE) and BPR2000 (EA+KE) respectively.

Motivations. We are motivated by the observations that no formal study has been devoted to the comparisons of relations and relative strengths of security between the Bellare–Rogaway and the Canetti–Krawczyk models. Although Shoup [18] provides a brief discussion on the Bellare–Rogaway models and the Canetti–Krawczyk model, his discussion is restricted to an informal comparison between the Bellare–Rogaway model and his model, and between the Canetti–Krawczyk model and his model. To the best of our knowledge, no distinction has ever been made between the Bellare–Rogaway proof model and its variants shown in Table 1.

Table 1. The Bellare–Rogaway proof model and its variants
Bellare–Rogaway [5,6,7]
    BR93
        BR93 (KE)
        BR93 (EA+KE)
    BR95
    BPR2000
        BPR2000 (KE)
        BPR2000 (EA+KE)

[Figure 1 is a diagram whose arrows cannot be recovered from the extracted text. Its nodes are the models BR93 (KE), BR93 (EA+KE), BR95, BPR2000 (KE), BPR2000 (EA+KE), and CK2001; its arrows carry the labels 3.1.1, 3.2, 3.4, 3.5, 3.6, 4, and [14].]
[marker lost in extraction] holds if SIDs are constructed in the same manner in both models. ⊥ holds if SIDs are not defined to be the concatenation of messages exchanged during the protocol run.

Fig. 1. Notions of security between the Bellare–Rogaway and Canetti–Krawczyk key establishment proof models

[Figure 2 is a diagram whose arrows cannot be recovered from the extracted text. Its nodes are CK2001, BR93 (EA+KE), BPR2000 (EA+KE), and BR93 (KE); its arrows carry the labels 3.1, 4, and [14].]
∇ holds if SIDs are defined to be the concatenation of messages exchanged during the protocol run.

Fig. 2. Additional comparisons

Contributions. We regard the main contributions of this paper to be of threefold significance:
1. contributing towards a better understanding of the different flavours of proof models for key establishment protocols by working out the relations between the Bellare–Rogaway proof model (and its variants) and the Canetti–Krawczyk proof model,
2. demonstrating that the Bellare–Rogaway (and its variants) and the Canetti–Krawczyk proof models have varying security strength by providing a comparison of the relative strengths of the notions of security between them, and
3. identifying a drawback in the BPR2000 model (not identified in any previous studies) which allows an insecure protocol to be proven secure in the BPR2000 model, as presented in Section 4.
This work may ease the understanding of future security protocol proofs (protocols proven secure in one model may be automatically secure in another model), and protocol designers can make an informed decision when choosing an appropriate model in which to prove their protocols secure. Our main results are summarized in Figures 1 and 2. We observe that if SIDs in the CK2001 model are defined to be the concatenation of messages exchanged during the protocol run, then the implication CK2001 → BR93 holds, and the CK2001 model offers the strongest definition of security compared to the BR93 model. The notation x → y denotes that protocols proven secure in model x will also be secure in model y (i.e., an implication relation where x implies y), and x ↛ y denotes that protocols proven secure in model x do not necessarily satisfy the definition of security in model y. The numbers on the arrows represent the sections in which the proofs are provided, and the numbers in brackets on the arrows represent the sections in which the implication relation is proven.

Organization. Section 2 provides an informal overview of the Bellare–Rogaway and Canetti–Krawczyk models. Section 3 provides the proofs of the implication relations and counter-examples for the non-implication relations shown in Figures 1 and 2. In these counter-examples, we demonstrate that these protocols, though secure in the existing proof model (in which they are proven secure), are insecure in another “stronger” proof model. Due to space constraints, some of the proofs and counter-examples appear in the full version [14]. Section 4 presents the drawback in the original formulation of the BPR2000 model by using a three-party password-based key exchange protocol (3PAKE) due to Abdalla & Pointcheval [1] as a case study. Section 5 presents the conclusions.

2 The Proof Models

In this section, an overview of the Bellare–Rogaway [5,6,7] and Canetti–Krawczyk models [4,12] is provided, primarily to demonstrate the gaps in the relations and the relative strengths of security between the variants of the Bellare–Rogaway and the Canetti–Krawczyk models.

Adversarial Powers. In the Bellare–Rogaway and Canetti–Krawczyk models, the adversary A is defined to be a probabilistic machine that is in control of all communications between parties via the predefined oracle queries described below:

Send: This query computes a response according to the protocol specification, together with the decision on whether to accept or reject, and returns them to A.

Session-Key Reveal(U_1, U_2, i): Oracle Π^i_{U_1,U_2}, upon receiving a Session-Key Reveal query, and if it has accepted and holds some session key, will send this session key back to A. This query is known as a Reveal(U_1, U_2, i) query in the Bellare–Rogaway models.

Session-State Reveal: Oracle Π^i_{U_1,U_2}, upon receiving a Session-State Reveal(U_1, U_2, i) query, and if it has neither accepted nor held some session key, will return all its internal state (including any ephemeral parameters but not long-term secret parameters) to A.

Corrupt: The Corrupt(U_1) query allows A to corrupt the principal U_1 at will, and thereby learn the complete internal state of the corrupted principal.

Test: The Test(U_1, U_2, i) query is the only oracle query that does not correspond to any of A’s abilities. If Π^i_{U_1,U_2} has accepted with some session key and is being asked a Test(U_1, U_2, i) query, then depending on a randomly chosen bit b, A is given either the actual session key or a session key drawn randomly from the session key distribution.

Table 2 provides a comparison of the types of queries allowed for the adversary between the various BR93, BR95, BPR2000, and CK2001 models.

Table 2. Summary of adversarial powers
Oracle Queries        BR93  BR95  BPR2000  CK2001
Send                  Yes   Yes   Yes      Yes
Session-Key Reveal    Yes   Yes   Yes      Yes
Session-State Reveal  No    No    No       Yes
Corrupt               Yes   Yes   No       Yes
Test                  Yes   Yes   Yes      Yes

Definition of Freshness. The notion of freshness of the oracle to whom the Test query is sent remains the same for the Bellare–Rogaway and Canetti–Krawczyk models. Freshness is used to identify the session keys about which A ought not to know anything because A has not revealed any oracles that have accepted the key and has not corrupted any principals knowing the key. Definition 1 describes freshness, which depends on the respective partnership definitions.

Definition 1 (Definition of Freshness). Oracle Π^i_{A,B} is fresh (or holds a fresh session key) at the end of execution, if, and only if, (1) Π^i_{A,B} has accepted with or without a partner oracle Π^j_{B,A}, (2) both Π^i_{A,B} and Π^j_{B,A} oracles have not been sent a Reveal query (or Session-State Reveal in the CK2001 model), and (3) A and B have not been sent a Corrupt query.

The basic notion of freshness (i.e., one that does not incorporate the notion of forward secrecy) in the BPR2000 model requires that no one (including A and B in requirement 3 of Definition 1) in the model has been sent a Corrupt query. This effectively restricts A from asking any Corrupt query in the (BPR2000) model.

Definition of Security. Security in the Bellare–Rogaway and the Canetti–Krawczyk models is defined using the game G, played between a malicious adversary A and a collection of Π^i_{U_x,U_y} oracles for players U_x, U_y ∈ {U_1, …, U_{N_p}} and instances i ∈ {1, …, N_s}. The adversary A runs the game G, whose setting is explained in Table 3. Success of A in G is quantified in terms of A’s advantage in distinguishing whether A receives the real key or a random value. A wins if, after asking a Test(U_1, U_2, i) query, where Π^i_{U_1,U_2} is fresh and has accepted, A’s guess bit b' equals the bit b selected during the Test(U_1, U_2, i) query. Let the advantage function of A be denoted by Adv^A(k), where Adv^A(k) = 2 × Pr[b = b'] − 1.

Table 3. Setting of game G
Stage 1: A is able to send any oracle queries at will.
Stage 2: At some point during G, A will choose a fresh session on which to be tested and send a Test query to the fresh oracle associated with the test session. Depending on the randomly chosen bit b, A is given either the actual session key or a session key drawn randomly from the session key distribution.
Stage 3: A continues making any oracle queries at will but cannot make Corrupt and/or Session-Key Reveal and/or Session-State Reveal queries (depending on the individual proof model) that trivially expose the test session key.
Stage 4: Eventually, A terminates the game simulation and outputs a bit b', which is its guess of the value of b.

2.1 The Bellare–Rogaway Models

2.1.1 The BR93 Model
Partnership is defined using the notion of matching conversations, where a conversation is defined to be the sequence of messages sent and received by an oracle. The sequence of messages exchanged (i.e., only the Send oracle queries) is recorded in the transcript, T. At the end of a protocol run, T will contain the record of the Send queries and the responses. Definition 2 describes security for the BR93 model.

Definition 2 (BR93 Security). A protocol is secure in the BR93 model if for all PPT adversaries A, (1) if uncorrupted oracles Π^i_{A,B} and Π^j_{B,A} complete with matching conversations, then the probability that there exist i, j such that Π^i_{A,B} accepted and there is no Π^j_{B,A} that had engaged in a matching session is negligible, and (2) Adv^A(k) is negligible. If both requirements are satisfied, then Π^i_{A,B} and Π^j_{B,A} will also have the same session key.

Requirement 1 of Definition 2 implies entity authentication, whereby entity authentication is said to be violated if some fresh oracle terminates with no partner.

2.1.2 The BR95 Model
Partnership in the BR95 model is defined using the notion of a partner function, which uses the transcript (the record of all Send oracle queries) to determine the partner of an oracle. However, no explicit definition of partnership was provided in the original paper since there is no single partner function fixed for any protocol. Instead, security is defined predicated on the existence of a suitable partner function. Definition 3 describes security for the BR95 model.

Definition 3 (BR95 Security). A protocol is secure in the BR95 model if both the following requirements are satisfied: (1) when the protocol is run between two oracles Π^i_{A,B} and Π^j_{B,A} in the absence of a malicious adversary, both Π^i_{A,B} and Π^j_{B,A} accept and hold the same session key, and (2) for all PPT adversaries A, Adv^A(k) is negligible.

2.1.3 The BPR2000 Model
Partnership in the BPR2000 model is defined based on the notion of session identifiers (SIDs), where SIDs are suggested to be the concatenation of messages exchanged during the protocol run. In this model, an oracle who has accepted will hold the associated session key, a SID and a partner identifier (PID). Definition 4 describes partnership in the BPR2000 model.

Definition 4 (BPR2000 Partnership). Two oracles, Π^i_{A,B} and Π^j_{B,A}, are partners if, and only if, both oracles have accepted the same session key with the same SID, have agreed on the same set of principals (i.e., the initiator and the responder of the protocol), and no other oracles besides Π^i_{A,B} and Π^j_{B,A} have accepted with the same SID.

In the BPR2000 model, security is described in Definition 5. The notion of security for entity authentication is said to be violated if some fresh oracle terminates with no partner.

Definition 5 (BPR2000 Security). A protocol is secure in the BPR2000 model under the notion of
– key establishment if for all PPT adversaries A, Adv^A(k) is negligible.
– mutual authentication if for all PPT adversaries A, the advantage that A has in violating entity authentication is negligible.

2.2 The Canetti–Krawczyk Model

In the CK2001 model, there are two adversarial models, namely the unauthenticated-links adversarial / real world model (UM) and the authenticated-links adversarial / ideal world model (AM). Let A_UM denote the (active) adversary in the UM, and A_AM denote the (passive) adversary in the AM. The difference between A_AM and A_UM lies in their powers, namely A_AM is restricted to only delay, delete, and relay messages, but not to fabricate any messages or send a message more than once. Prior to explaining how a provably secure protocol in the AM is translated to a provably secure protocol in the UM with the use of an authenticator, we require definitions of an emulator and an authenticator, as given in Definitions 6 and 7.

Definition 6 (Definition of an Emulator [4]). Let π and π' be two protocols for n parties where π is a protocol in the AM and π' is a protocol in the UM. π' is said to emulate π if for any UM-adversary A_UM there exists an AM-adversary A_AM, such that for all inputs, no polynomial time adversary can distinguish the cumulative outputs of all parties and the adversary between the AM and the UM with more than negligible probability.

Definition 7 (Definition of an Authenticator [12]). An authenticator is defined to be a mapping transforming a protocol π_AM in the AM to a protocol π_UM in the UM such that π_UM emulates π_AM.

In other words, the security proof of the UM protocol in the CK2001 model depends on the security proofs of the MT-authenticator used and that of the AM protocol. If any of these proofs breaks down, then the proof of the UM protocol is invalid. Definitions 8 and 9 describe partnership and security for the CK2001 model.

Definition 8 (Matching Sessions). Two sessions are said to be matching if they have the same session identifiers (SIDs) and corresponding partner identifiers (PIDs).

Definition 9 (CK2001 Security). A protocol is secure in the CK2001 model if for all PPT adversaries A, (1) if two uncorrupted oracles Π^i_{A,B} and Π^j_{B,A} complete matching sessions, then both Π^i_{A,B} and Π^j_{B,A} must hold the same session key, and (2) Adv^A(k) is negligible.

3 Relating the Notions of Security

In our proofs for each of the implication relations shown in Figure 1, we construct a primary adversary, PA, against the key establishment protocol in PA’s model using a secondary adversary SA against the same key establishment protocol in SA’s model. PA simulates the view of SA by asking all queries of SA to the respective Send, Session-Key Reveal, Session-State Reveal, Corrupt, and Test oracles (to which PA has access), and forwards the answers received from the oracles to SA. The specification of the simulation is given in Figure 3. Note that Shoup [18, Remark 26] pointed out that an adversary A in the Bellare–Rogaway model wins the game if A is able to make two partner oracles accept different session keys without making any Reveal and Test queries. His findings are applicable only to the BR93 and CK2001 models, where the definitions of security require two partner oracles to accept with the same session key, as described in Definitions 2 and 9 respectively. However, this is not the case for the BR95 and BPR2000 models.

Queries and actions in the simulation:

Send: PA is able to answer this query pertaining to any instance of a server or player by asking its Send oracle.

Session-Key Reveal: PA is restricted from asking a Session-Key Reveal query to the target test oracle or its partner in its own game. Similarly, SA faces the same restriction (R). Hence, PA is able to answer this query by asking its Reveal oracle and is able to simulate the Session-Key Reveal query perfectly.

Corrupt: SA is disallowed from asking a Corrupt query to the principal of the target test session or whom the target test session thinks it is communicating with in its own game. Similarly, the PA faces the same restriction. Hence, PA is able to answer this query by asking its Corrupt oracle and simulates the Corrupt query perfectly.

Test: If the following conditions are satisfied (under the assumption that both PA and SA choose the same Test session), then PA queries its Test oracle. The Test oracle randomly chooses a bit, b_Test, and depending on b_Test, the Test oracle either returns the actual session key or a random key. PA then answers SA with the answer received from its Test oracle. Let b_SA be the final output of SA; PA will output b_SA as its own answer. PA succeeds and wins the game if SA does.
– The Test sessions in both PA’s and SA’s simulations have accepted, and must be fresh.
  • Since PA is able to answer all Send, Session-Key Reveal, and Corrupt queries asked by SA as shown above, if the Test session in SA’s simulation has accepted, so does the same Test session in PA’s simulation.
  • Since PA faces the same restriction as SA of not being able to reveal or corrupt an oracle or principal associated with the Test session, if the Test session in SA’s simulation is fresh, so is the same Test session in PA’s simulation.

R: subject to the following requirements:
1. non-partners in the simulation of SA are also non-partners in the simulation of PA, so that whatever we can reveal in the simulation of SA, we can also reveal in the simulation of PA. Alternatively, we require that partners in the simulation of PA are also partners in the simulation of SA, so that whatever we cannot reveal in the simulation of PA, we also cannot reveal in the simulation of SA.
2. a fresh oracle in the simulation of SA is also a fresh oracle in the simulation of PA, so that whatever we cannot reveal in the simulation of SA, we also cannot reveal in the simulation of PA.

Fig. 3. Specification of simulation between the primary adversary and the secondary adversary

The notation in this section is as follows: {·}_{K^enc_{U_1U_2}} denotes the encryption of some message under the encryption key K^enc_{U_1U_2}, the notation [·]_{K^MAC_{U_1U_2}} denotes the computation of a MAC digest of some message under the MAC key K^MAC_{U_1U_2}, Sig_{d_U}(·) denotes the signature of some message under the signature key d_U, H denotes some secure hash function, || denotes concatenation of messages, and pwd denotes some secret password shared between two users.

3.1 Proving Implication Relation: BR93 (EA+KE) → BPR2000 (EA+KE)

Recall that the Corrupt query is not allowed in the BPR2000 model but is allowed in the BR93 model, as shown in Table 2. Intuitively, the model with a greater adversarial power, especially one that allows the adversary access to the entire internal state of a player (i.e., via the Corrupt query), has a tighter definition of security than the model with a weaker adversarial power.

A                                                    B
Choose some message m_A
                      m_A  →  . . .  →  m'_A
                                                     Receive some message m'_A
                                                     Choose some message m_B
                      m'_B  ←  . . .  ←  m_B
Receive some message m'_B

Fig. 4. An example protocol execution

3.1.1 Proof for the Key Establishment Goal
Let the advantage of some PPT adversary, A_00, in the BPR2000 (EA+KE) model be Adv^{A_00}, and the advantage of some PPT adversary, A_93, in the BR93 (EA+KE) model be Adv^{A_93}.

Lemma 1. For any key establishment protocol, for any A_00, there exists an A_93, such that Adv^{A_00} = Adv^{A_93}.

Proof (Lemma 1). An adversary A_93 against the key establishment protocol in the BR93 (EA+KE) model is constructed using an adversary A_00 against the same key establishment protocol in the BPR2000 (EA+KE) model, as shown in Figure 3. In other words, let A_93 be the primary adversary and A_00 be the secondary adversary, where A_93 simulates the view of A_00. A_93 asks all queries by A_00 to the respective Send oracles, Session-Key Reveal oracles, and Test oracle (to which A_93 has access), and forwards the answers received from the oracles to A_00. Eventually, A_00 outputs a guess bit b_00 and A_93 will output b_00 as its own answer. A_93 succeeds and wins the game if A_00 does.

In order to demonstrate that the primary adversary, A_93, is able to answer the queries asked by the secondary adversary, A_00, we need to satisfy requirements 1 and 2 described in Figure 3. Using the example protocol execution shown in Figure 4, B is said to have a matching conversation with A if, and only if, the message m'_A received is the same message m_A (i.e., m'_A = m_A) sent by A, and A is said to have a matching conversation (in the BR93 model) with B if, and only if, the message m'_B received is the same message m_B (i.e., m'_B = m_B) sent by B. In the context of Figure 4, sid_A = m_A || m'_B and sid_B = m'_A || m_B (in the BPR2000 model), and sid_A = sid_B if the message m'_A received by B is the same message m_A (i.e., m'_A = m_A) sent by A, and the message m'_B received by A is the same message m_B (i.e., m'_B = m_B) sent by B. Hence, if both A and B have matching conversations, then sid_A = m_A || m'_B = m'_A || m_B = sid_B. If the protocol is BR93-secure, then A and B will also accept with the same session key.

Recall that the BPR2000 definition of partnership requires two oracles to accept with the same SID, corresponding PID, and the same key, in order to be considered partners. Now, if A and B do not have matching conversations, then A and B are not BR93 partners. This also implies that A and B are not BPR2000 partners since sid_A ≠ sid_B. Since non-partners in the simulation of the secondary adversary, A_00, are also non-partners in the simulation of the primary adversary, A_93, requirement 1 (described in Figure 3) is satisfied.

An oracle is considered fresh in the BPR2000 model if it (or its associated partner, if such a partner exists) has not been asked a Reveal query, and an oracle is considered fresh in the BR93 model if it (or its associated partner, if such a partner exists) has not been asked either a Reveal or a Corrupt query. Hence, it follows easily that a fresh oracle in the BPR2000 model is also fresh in the BR93 model. Hence, both requirements 1 and 2 (described in Figure 3) are satisfied.

To analyse Adv^{A_93}, we first consider the case in which the Test oracle associated with A_93 returns a random key. The probability of A_00 guessing the correct b_00 bit is 1/2 since it cannot gain any information about the hidden b_93 bit. We then consider the case where the Test oracle associated with A_93 returns the actual session key. In this case, the proof simulation (of A_00) is perfect and A_93 runs A_00 exactly in the game defining the security of A_00. Therefore, if A_00 has a non-negligible advantage, so does A_93 (i.e., Adv^{A_93} = Adv^{A_00}). This is in violation of our assumption and Lemma 1 follows. □

3.1.2 Proof for the Entity Authentication Goal
By inspection of Definitions 2 and 5, the definitions for entity authentication in both the BR93 and BPR2000 models are equivalent, whereby entity authentication is said to be violated if some fresh oracle terminates with no partner. Following from our earlier proofs in Section 3.1.1, we define A_93 to simulate the view of A_00. In other words, A_93 does anything that A_00 does. Since non-partners in the simulation of A_00 are also non-partners in the simulation of A_93, if A_00 has a non-negligible probability of violating mutual authentication, so does A_93. This is in violation of our assumption and the proof for entity authentication follows.
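The matching-conversation versus SID argument of Section 3.1.1, as an added example in Python that is not part of the paper: it runs the two-flow execution of Figure 4 through a relaying or tampering adversary and checks that BR93 matching conversations and equal BPR2000 SIDs coincide. The length-prefixed encoding of || is an assumption (the paper only says SIDs are the concatenation of the messages); the last function goes one step beyond the text and shows the collision that raw, unprefixed concatenation admits, which is exactly where the construction of SIDs affects partnership.

```python
"""Figure 4 execution: BR93 matching conversations versus BPR2000 SIDs.

Added illustration, not code from the paper. The 2-byte length prefix used
to encode '||' is an assumption; the paper does not fix an encoding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conversation:
    """What each oracle sent and received in the two flows of Figure 4."""
    m_a_sent: bytes   # m_A chosen by A
    m_a_recv: bytes   # m'_A as delivered to B
    m_b_sent: bytes   # m_B chosen by B
    m_b_recv: bytes   # m'_B as delivered to A


def run_protocol(m_a: bytes, m_b: bytes, adversary=None) -> Conversation:
    """Deliver m_A (A to B) and m_B (B to A) through the adversary.

    `adversary` maps a message in flight to the message delivered; None
    models a faithful relay.  A tampering adversary is any other callable.
    """
    deliver = adversary or (lambda m: m)
    return Conversation(m_a_sent=m_a, m_a_recv=deliver(m_a),
                        m_b_sent=m_b, m_b_recv=deliver(m_b))


def concat(*parts: bytes) -> bytes:
    """Unambiguous '||': every part is prefixed with its 2-byte length."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def sid_initiator(c: Conversation) -> bytes:
    """sid_A = m_A || m'_B, the BPR2000 SID as computed by A."""
    return concat(c.m_a_sent, c.m_b_recv)


def sid_responder(c: Conversation) -> bytes:
    """sid_B = m'_A || m_B, the BPR2000 SID as computed by B."""
    return concat(c.m_a_recv, c.m_b_sent)


def br93_matching_conversations(c: Conversation) -> bool:
    """BR93 partnership: B received exactly what A sent, and vice versa."""
    return c.m_a_recv == c.m_a_sent and c.m_b_recv == c.m_b_sent


def bpr2000_same_sid(c: Conversation) -> bool:
    """The SID requirement of BPR2000 partnership: sid_A = sid_B."""
    return sid_initiator(c) == sid_responder(c)


def raw_sid_collision_possible() -> bool:
    """Caveat on SID construction (constructed example).

    With raw byte concatenation and no length prefix, A sending "ab" and
    receiving "c" while B receives "a" and sends "bc" gives both oracles the
    raw SID "abc" although the conversations do not match.  The length-
    prefixed encoding above keeps the two SIDs distinct.
    """
    c = Conversation(m_a_sent=b"ab", m_a_recv=b"a",
                     m_b_sent=b"bc", m_b_recv=b"c")
    raw_equal = (c.m_a_sent + c.m_b_recv) == (c.m_a_recv + c.m_b_sent)
    return (raw_equal
            and not br93_matching_conversations(c)
            and not bpr2000_same_sid(c))


if __name__ == "__main__":
    runs = (("faithful relay", None),
            ("tampering adversary", lambda m: m[::-1]))
    for label, adv in runs:
        c = run_protocol(b"nonce-A", b"nonce-B", adv)
        print(f"{label}: BR93 matching={br93_matching_conversations(c)}, "
              f"BPR2000 same SID={bpr2000_same_sid(c)}")
    print("raw-concatenation SID collision:", raw_sid_collision_possible())
```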

3.2 Proving Implication Relation: CK2001 → BPR2000 (KE)

Recall that one of the key differences between the BPR2000 and CK2001 models is that the Canetti–Krawczyk adversary is allowed to ask the additional Session-State Reveal and Corrupt queries, as shown in Table 2. Intuitively, the model with the greater adversarial power has a tighter definition of security than the model with the weaker adversarial power. To support this observation, let the advantage of some PPT adversary in the BPR2000 (KE) model be Adv_A00KE, and the advantage of some PPT adversary in the CK2001 model be Adv_A01.

Lemma 2. For any key establishment protocol and for any A00KE, there exists an A01 such that Adv_A00KE = Adv_A01.

Proof. An adversary A01 against the security of a key establishment protocol in the CK2001 (UM) model is constructed from an adversary A00KE against the security of the same protocol in the BPR2000 (KE) model. The primary adversary, A01, runs the secondary adversary, A00KE, and answers its queries using A01's own Send, Session-State Reveal, Session-Key Reveal, Corrupt, and Test oracles. Recall that we assume in Figure 1 that this relation holds if, and only if, SIDs in the BPR2000 (KE) and CK2001 models are constructed in the same manner. If A and B are BPR2000 partners, then sidA = sidB, and A and B are also partners in the CK2001 model, since sidA = sidB implies that A and B have matching sessions. Conversely, in a CK2001-secure protocol two partners must accept the same session key (recall the CK2001 definition of security), so CK2001 partners in such a protocol are also BPR2000 partners. Hence, under the assumption that SIDs in both models are constructed in the same manner, the two notions of partnership coincide for CK2001-secure protocols, which implies requirement 1. An oracle is considered fresh in the BPR2000 model if it (or its associated partner, if such a partner exists) has not been asked a Reveal query, and an oracle is considered fresh in the CK2001 model if it (or its associated partner, if such a partner exists) has not been asked either a Reveal or a Corrupt query. Since A00KE never asks Session-State Reveal or Corrupt queries, a fresh oracle in the BPR2000 model is also fresh in the CK2001 model, and both requirements 1 and 2 (described in Figure 3) are satisfied.

To analyse Adv_A01, we first consider the case in which the Test oracle associated with A01 returns a random key. The probability of A00KE guessing the correct b00 bit is 1/2, since it gains no information about the hidden b01 bit. We then consider the case in which the Test oracle associated with A01 returns the actual session key. In this case the simulation of A00KE is perfect: A01 runs A00KE exactly in the game defining the security of A00KE. Therefore, if A00KE has a non-negligible advantage, so does A01 (i.e., Adv_A00KE = Adv_A01 is also non-negligible). In other words, if such an adversary A00KE exists, so does A01. This contradicts our assumption, and Lemma 2 follows. □

3.3 Proving Implication Relation: CK2001 → BR93 (KE)

This proof follows on from Section 3.2. Let the advantage of some PPT adversary A93KE in the BR93 (KE) model be Adv_A93KE.

Lemma 3. For any key establishment protocol and for any A93KE, there exists an A01 such that Adv_A93KE = Adv_A01.

Proof. We construct an adversary A01 against the security of a key establishment protocol in the CK2001 model from an adversary A93KE against the security of the same protocol in the BR93 model. Since we assume that SIDs in the CK2001 model are defined to be the concatenation of the messages exchanged during the protocol run (as SIDs are defined in the proof in Section 3.1), the discussion of partnership between the BPR2000 and BR93 models applies equally to partnership between the CK2001 and BR93 models. Hence, all BR93 partners are also CK2001 partners and all CK2001 partners are also BR93 partners (under the assumption that SIDs in the CK2001 model are defined to be the concatenation of the messages sent and received during the protocol execution). Therefore, A01 is able to simulate the view of A93KE. Note that since A93KE is not allowed to ask Session-State Reveal queries in the BR93 model, A93KE will not ask any such queries in the simulation.

To analyse Adv_A01, we first consider the case in which the Test oracle associated with A01 returns a random key. The probability of A93KE guessing the correct b93 bit is 1/2, since it gains no information about the hidden b01 bit. We then consider the case in which the Test oracle associated with A01 returns the actual session key. In this case the simulation of A93KE is perfect: A01 runs A93KE exactly in the game defining the security of A93KE. Therefore, if A93KE has a non-negligible advantage, so does A01 (i.e., Adv_A01 = Adv_A93KE is also non-negligible), contradicting our assumption. Lemma 3 follows. □

3.4 Proving Non-implication Relation: BR93 (KE) / CK2001 ⇏ BPR2000 (KE)

As a counter-example, we revisit the improved (Bellare–Rogaway) three-party key distribution (3PKD) protocol due to Choo et al. [15], which has a proof of security in the BPR2000 (KE) model. We then demonstrate that this protocol fails to satisfy the functional requirement that partners accept the same session key; consequently, the protocol is insecure in the BR93 (KE) and CK2001 models. Figure 5 describes the CBHM-3PKD protocol, which was proven secure in the BPR2000 model. In the protocol there are three entities, namely a trusted server S and two principals A and B who wish to establish communication. Figure 6 depicts an example execution of the CBHM-3PKD protocol in the presence of a malicious adversary 𝒜. At the end of the protocol execution, both uncorrupted principals A and B have matching sessions according to Definition 8. However, they have accepted different session keys (A accepts session key SKAB and B accepts session key SKAB,2). This violates Definitions 2 and 9, which implies that the 3PKD protocol is not secure in the BR93 (KE) and CK2001 models. However, according to Definition 4, A and B are not BPR2000 partners, since they do not agree on the same session key; hence the protocol does not violate BPR2000 security (Definition 5).

3.5 Proving Non-implication Relation: BR93 (KE) ⇏ CK2001

Canetti & Krawczyk prove the basic Diffie–Hellman protocol secure in the UM [12]. In order to prove BR93 (KE) ⇏ CK2001, we modify the (Canetti–Krawczyk) Diffie–Hellman protocol to include a redundant nonce NBA, as shown in Figure 7. The modified Diffie–Hellman protocol does not authenticate the redundant nonce NBA. Although NBA is not authenticated, its addition does not affect the security of the protocol, since NBA plays no part in the derivation of the session key.

1.  A → B : RA
2.  B → S : RA, RB
3a. S → A : {SKAB}K_AS^enc, [A, B, RA, RB, {SKAB}K_AS^enc]K_AS^MAC, RB
3b. S → B : {SKAB}K_BS^enc, [A, B, RA, RB, {SKAB}K_BS^enc]K_BS^MAC

Fig. 5. Choo, Boyd, Hitchcock, & Maitland provably secure 3PKD protocol ({m}K denotes encryption of m under K, [m]K denotes a MAC on m under K)


1.  A → B : RA
2.  B → S : RA, RB
3a. S → A : {SKAB}K_AS^enc, [A, B, RA, RB, {SKAB}K_AS^enc]K_AS^MAC, RB
3b. S → B : {SKAB}K_BS^enc, [A, B, RA, RB, {SKAB}K_BS^enc]K_BS^MAC                (𝒜 intercepts and deletes this message)
2.  𝒜_B → S : RA, RB                                                              (𝒜 replays message 2 impersonating B; S generates a new key SKAB,2)
3a. S → A : {SKAB,2}K_AS^enc, [A, B, RA, RB, {SKAB,2}K_AS^enc]K_AS^MAC, RB        (𝒜 intercepts and deletes this message)
3b. S → B : {SKAB,2}K_BS^enc, [A, B, RA, RB, {SKAB,2}K_BS^enc]K_BS^MAC

Fig. 6. Execution of the CBHM-3PKD protocol in the presence of a malicious adversary 𝒜 (𝒜_U denotes 𝒜 sending a message while impersonating U); A accepts SKAB while B accepts SKAB,2
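The run of Figure 6 (Section 3.4) can be reproduced mechanically. The following is an added example written for this page, not code from the paper: it models S, A and B with HMAC-based encryption and MACs, takes the pair of nonces (RA, RB) as the session identifier (an assumption for this demo), and compares the honest run with the run in which the adversary drops 3b, replays message 2 as B, and drops the second 3a. The interesting output is that the two principals end with matching sessions (same SID, corresponding PIDs) but different keys, which is exactly the gap between Definition 8 and Definition 4.

```python
import hashlib
import hmac
import os

# Constructed demo of the CBHM-3PKD run of Figure 6 (Section 3.4). The HMAC-based
# encryption/MAC, the key and nonce lengths and the SID choice are assumptions made
# for this example; they are not part of the paper.


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF from which both the encryption keystream and the MAC are derived."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def encrypt(k_enc: bytes, msg: bytes) -> bytes:
    """{msg}_{K^enc}: fresh IV plus a one-time keystream (demo construction)."""
    iv = os.urandom(16)
    ks = prf(k_enc, b"enc", iv)
    return iv + bytes(m ^ s for m, s in zip(msg, ks))


def decrypt(k_enc: bytes, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    ks = prf(k_enc, b"enc", iv)
    return bytes(c ^ s for c, s in zip(body, ks))


def mac(k_mac: bytes, *parts: bytes) -> bytes:
    """[parts]_{K^MAC}"""
    return prf(k_mac, b"mac", *parts)


class Server:
    """S shares (K^enc, K^MAC) with every principal and mints a fresh key per request."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> (k_enc, k_mac)

    def respond(self, a: bytes, b: bytes, ra: bytes, rb: bytes) -> dict:
        """Message 3: {SK}_{K_US^enc}, [A, B, RA, RB, {SK}_{K_US^enc}]_{K_US^MAC} for U in {A, B}."""
        sk = os.urandom(16)  # a new SK_AB for every (RA, RB) request S receives
        out = {}
        for who in (a, b):
            k_enc, k_mac = self.keys[who]
            c = encrypt(k_enc, sk)
            out[who] = (c, mac(k_mac, a, b, ra, rb, c))
        return out


class Principal:
    def __init__(self, name: bytes, k_enc: bytes, k_mac: bytes):
        self.name, self.k_enc, self.k_mac = name, k_enc, k_mac
        self.sid = self.pid = self.sk = None

    def accept(self, a: bytes, b: bytes, ra: bytes, rb: bytes, c: bytes, tag: bytes) -> None:
        """Verify the server's MAC, recover SK, and record SID/PID for the session."""
        if not hmac.compare_digest(tag, mac(self.k_mac, a, b, ra, rb, c)):
            raise ValueError("bad MAC from S")
        self.sk = decrypt(self.k_enc, c)
        self.sid = (ra, rb)  # assumed SID: the nonces both principals exchanged
        self.pid = b if self.name == a else a


def run(attack: bool) -> dict:
    """Honest run, or the Figure 6 run in which the adversary replays message 2."""
    k_as = (os.urandom(32), os.urandom(32))
    k_bs = (os.urandom(32), os.urandom(32))
    S = Server({b"A": k_as, b"B": k_bs})
    A, B = Principal(b"A", *k_as), Principal(b"B", *k_bs)
    ra = os.urandom(16)  # 1. A -> B : RA
    rb = os.urandom(16)  # 2. B -> S : RA, RB
    m3 = S.respond(b"A", b"B", ra, rb)
    A.accept(b"A", b"B", ra, rb, *m3[b"A"])  # 3a reaches A; A accepts SK_AB
    if attack:
        # The adversary drops 3b, replays "RA, RB" to S as B, and S mints SK_AB,2.
        m3_replay = S.respond(b"A", b"B", ra, rb)
        # The replayed 3a is dropped; only the replayed 3b reaches B.
        B.accept(b"A", b"B", ra, rb, *m3_replay[b"B"])
    else:
        B.accept(b"A", b"B", ra, rb, *m3[b"B"])
    matching = A.sid == B.sid and A.pid == B.name and B.pid == A.name
    return {
        "matching_sessions": matching,                  # Definition 8: same SID, corresponding PIDs
        "same_key": A.sk == B.sk,                       # what Definitions 2 and 9 additionally demand
        "bpr2000_partners": matching and A.sk == B.sk,  # Definition 4 requires key agreement as well
    }
```

`run(True)` reports `matching_sessions` true and `same_key` false: the MACs verify on both sides because S really did produce both messages, so nothing in the protocol tells B that A holds a different key. That is the reason a SID built only from the nonces cannot carry a BR93- or CK2001-style proof for this protocol.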

A                                                                          B
x ∈ Zq
                    A, sid, g^x  →
                                                                           y, NBA ∈ Zq
                    ←  B, sid, g^y, Sig_dB(B, sid, g^y, g^x, A), NBA
Verify signature
                    A, sid, g^y, Sig_dA(A, sid, g^y, g^x, B), NBA  →
SKAB = g^xy                                                                SKAB = g^xy

Fig. 7. A modified (Canetti–Krawczyk) Diffie–Hellman protocol

1. A → 𝒜 → B : A, sid, g^x                                               (forwarded unchanged)
2. B → 𝒜     : B, sid, g^y, Sig_dB(B, sid, g^y, g^x, A), NBA
   𝒜_B → A   : B, sid, g^y, Sig_dB(B, sid, g^y, g^x, A), N_𝒜           (unauthenticated nonce replaced)
3. A → 𝒜     : A, sid, g^y, Sig_dA(A, sid, g^y, g^x, B), N_𝒜
   𝒜_A → B   : A, sid, g^y, Sig_dA(A, sid, g^y, g^x, B), NBA            (original nonce restored)

Fig. 8. Execution of the modified (Canetti–Krawczyk) Diffie–Hellman protocol in the presence of a malicious adversary 𝒜 (𝒜_U denotes 𝒜 sending a message while impersonating U)

Figure 8 depicts an example execution of the modified (Canetti–Krawczyk) Diffie–Hellman protocol in the presence of a malicious adversary 𝒜. Recall that we assume that the non-implication relation BR93 (KE) ⇏ CK2001 holds if, and only if, SIDs in the CK2001 model are not defined to be the concatenation of the messages exchanged during the protocol run, as shown in Figure 1. Let 𝒜_U denote 𝒜 intercepting a message and sending a fabricated message impersonating U. At the end of the protocol execution, A and B are partners according to Definition 8, since they have matching SIDs and corresponding PIDs (i.e., PIDA = B and PIDB = A). In addition, both uncorrupted A and B accept the same session key, SKAB = g^xy = SKBA. The CK2001 definition of security is therefore not violated (in the sense of Definition 9). However, neither A nor B received all of the other's messages (recall that the messages in rounds 2 and 3 are fabricated by 𝒜, which substitutes its own nonce for the unauthenticated NBA), and neither A's nor B's replies were all in response to genuine messages from B and A respectively. Hence, A and B are not BR93 partners, and 𝒜 can obtain a fresh session key of either A or B by revealing the non-partner instance of B or A respectively, in violation of BR93 security (Definition 2).

A (pwdA)                          S (pwdA, pwdB)                          B (pwdB)

A: x ∈R Zp, X = g^x, pwA,1 = G1(pwdA), X* = X · pwA,1
B: y ∈R Zp, Y = g^y, pwB,1 = G1(pwdB), Y* = Y · pwB,1
A → S : A, B, X*
B → S : B, A, Y*
S: r ∈R Zp, R ∈R {0,1}^lR
   pwA,1 = G1(pwdA), pwB,1 = G1(pwdB)
   X = X*/pwA,1, Y = Y*/pwB,1
   X̄ = X^r, Ȳ = Y^r
   pwA,2 = G2(R, pwdA, X*), pwB,2 = G2(R, pwdB, Y*)
   X̄* = X̄ · pwB,2, Ȳ* = Ȳ · pwA,2
S → A : S, B, R, Y*, Ȳ*
S → B : S, A, R, X*, X̄*
A: pwA,2 = G2(R, pwdA, X*), Ȳ = Ȳ*/pwA,2, K = Ȳ^x = g^xry, T = (R, X*, Y*, X̄*, Ȳ*), SKA = H(A, B, S, T, K)
B: pwB,2 = G2(R, pwdB, Y*), X̄ = X̄*/pwB,2, K = X̄^y = g^xry, T = (R, X*, Y*, X̄*, Ȳ*), SKB = H(A, B, S, T, K)

Fig. 9. Abdalla–Pointcheval 3PAKE

3.6 Discussion on Non-implication Relation: BPR2000 (KE) ⇏ BR95

Recall that security in these models depends on the notion of partnership. However, no explicit definition of partnership was provided in the BR95 model, and there is no single partner function fixed for any protocol in the BR95 model. The flawed partner function for the 3PKD protocol described in the original BR95 paper was fixed by Choo et al. [15]. However, as Choo et al. have pointed out, there is no way to securely define a SID for the 3PKD protocol that preserves the proof of security. Hence, protocols that are secure in the BR95 model may not necessarily be provable secure in the BPR2000 (KE) model.

4 A Drawback in the Original Formulation of the BPR2000 Model

4.1 Case Study: Abdalla–Pointcheval 3PAKE

We revisit the protocol 3PAKE due to Abdalla & Pointcheval [1], which carries a proof of security in the BPR2000 model, as shown in Figure 9. Let A and B be two clients who wish to establish a shared session key SK, S be a trusted server, pwdA (and pwdB) denote the password shared between A and S (respectively B and S), G1, G2, and H denote random oracles, and lR and lk denote security parameters.

A (pwdA)          𝒜          S (pwdA, pwdB, pwdC)          𝒜          B (pwdB)

0. 𝒜 corrupts C and obtains all internal state of C, including pwdC.
1. A → B : A, B, X*                                          (intercepted by 𝒜)
   B → A : B, A, Y*                                          (intercepted by 𝒜; B never receives a reply)
2. 𝒜: e ∈R Zp, E = g^e such that the underlying value E ≠ 1, E* = E · G1(pwdC)
   𝒜_A → S : A, C, X*                                        (identity field changed from B to C)
   𝒜_C → S : C, A, E*
3. S: r ∈R Zp, R ∈R {0,1}^lR
      pwA,1 = G1(pwdA), pwC,1 = G1(pwdC)
      X = X*/pwA,1, E = E*/pwC,1
      X̄ = X^r, Ē = E^r
      pwA,2 = G2(R, pwdA, X*), pwC,2 = G2(R, pwdC, E*)
      X̄* = X̄ · pwC,2, Ē* = Ē · pwA,2
   S → A : S, C, R, E*, Ē*                                   (intercepted by 𝒜)
   S → C : S, A, R, X*, X̄*                                   (received by 𝒜, who plays C)
   𝒜_S → A : S, B, R, E*, Ē*                                 (identity field changed from C to B)
4. A: pwA,2 = G2(R, pwdA, X*), Ē = Ē*/pwA,2, K = Ē^x = g^xre, T = (R, X*, E*, X̄*, Ē*), SKA = H(A, B, S, T, K)
   𝒜 (as C): pwC,2 = G2(R, pwdC, E*), X̄ = X̄*/pwC,2, K = X̄^e = g^xre, T = (R, X*, E*, X̄*, Ē*), SKC = H(A, B, S, T, K)

Fig. 10. Execution of 3PAKE in the presence of a malicious adversary 𝒜 (𝒜_U denotes 𝒜 sending a message while impersonating U)

4.2 New Attack on Abdalla–Pointcheval 3PAKE

Figure 10 describes an execution of 3PAKE in the presence of a malicious adversary 𝒜. Let C be another client who shares a password pwdC with the server S. Prior to the start of the communication initiated by A, 𝒜 corrupts the non-related player C (i.e., static corruption), thereby learning all internal state of C, including the password pwdC shared with S. In the attack outlined in Figure 10, 𝒜 intercepts the first message from A and changes the identity field in the message from A, B to A, C. 𝒜 impersonates A and sends the fabricated message A, C, X* to S; 𝒜 also impersonates C and sends another fabricated message C, A, E* to S. S, upon receiving both messages, responds as per the protocol specification. At the end of the protocol execution, A believes that the session key SKA = H(A, B, S, T, K) is shared with B. However, B is still waiting for S's reply, which will never arrive, since 𝒜 has intercepted and deleted the message from the network. Meanwhile, 𝒜 is able to compute the fresh session key of A: knowing pwdC, 𝒜 unmasks the server's reply and obtains K = g^xre, and hence SKA = H(A, B, S, T, K), since the parameters A, B, S, and T (T is the transcript of the protocol execution) are public. Consequently, protocol 3PAKE is insecure. However, this attack (see footnote 1) cannot be detected in the existing BPR2000 model, since the Corrupt query is not allowed. Protocols proven secure in a proof model that allows the Corrupt query (in the proof simulation) ought to be secure against this unknown key share attack: if a key is to be shared between two parties U1 and U2, the corruption of some other (non-related) player U3 should not expose the session key shared between U1 and U2. In other words, protocol 3PAKE is insecure in the BR93, BR95, and CK2001 models, since 𝒜 trivially exposes a fresh session key (i.e., Adv_𝒜(k) is non-negligible) by corrupting a non-partner player.
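The attack of Figure 10 can be executed end to end. The following is an added example written for this page, not code from the paper or from Abdalla & Pointcheval: it implements the protocol as rendered in Figure 9 over a toy group (a Mersenne prime with a fixed base), models G1, G2 and H as SHA-256 random oracles mapped into the group, and uses a transcript T containing only the values both clients see in that rendering (R, X*, Y*); the group, the hash mapping, the transcript and the names are all assumptions of this demo. `attack_run` plays 𝒜 with the corrupted pwdC and shows that the key 𝒜 derives equals the key A believes it shares with B.

```python
import hashlib
import secrets

# Constructed demo of the Figure 10 attack on 3PAKE as rendered in Section 4.
# Toy group, SHA-256 random oracles, the transcript T and all names are assumptions
# made for this example; they are not the paper's or Abdalla-Pointcheval's code.

P = 2**127 - 1   # Mersenne prime; demo-only group, not a production parameter
G = 3            # fixed base; its subgroup order does not matter for the illustration


def _b(v) -> bytes:
    return v if isinstance(v, bytes) else str(v).encode()


def ro(label: bytes, *parts) -> int:
    """Random oracle modelled by SHA-256 and mapped into Z_p^* (every output is invertible)."""
    h = hashlib.sha256(b"|".join([label] + [_b(p) for p in parts])).digest()
    return int.from_bytes(h, "big") % (P - 1) + 1


def G1(pwd: bytes) -> int:
    return ro(b"G1", pwd)


def G2(R: bytes, pwd: bytes, masked: int) -> int:
    return ro(b"G2", R, pwd, masked)


def H(a: bytes, b: bytes, s: bytes, T: tuple, K: int) -> str:
    return hashlib.sha256(b"|".join([a, b, s] + [_b(t) for t in T] + [_b(K)])).hexdigest()


def inv(x: int) -> int:
    return pow(x, -1, P)


def client_flow1(pwd: bytes):
    """x in Z_p, X = g^x, X* = X . G1(pwd); returns (x, X*)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P) * G1(pwd) % P


def server(pwd_of: dict, a: bytes, Xs: int, b: bytes, Ys: int) -> dict:
    """S blinds both contributions with r and masks each one under the *other* client's pw_2."""
    r = secrets.randbelow(P - 2) + 1
    R = secrets.token_bytes(16)
    X = Xs * inv(G1(pwd_of[a])) % P
    Y = Ys * inv(G1(pwd_of[b])) % P
    Xbar, Ybar = pow(X, r, P), pow(Y, r, P)
    Xbs = Xbar * G2(R, pwd_of[b], Ys) % P   # X̄* = X̄ . pw_{b,2}, destined for b
    Ybs = Ybar * G2(R, pwd_of[a], Xs) % P   # Ȳ* = Ȳ . pw_{a,2}, destined for a
    # S -> a : S, b, R, Y*, Ȳ*        S -> b : S, a, R, X*, X̄*
    return {a: (b, R, Ys, Ybs), b: (a, R, Xs, Xbs)}


def client_finish(me: bytes, pwd: bytes, x: int, mine: int, msg: tuple, s: bytes = b"S") -> str:
    """Unmask with own pw_2, raise to own exponent, derive SK = H(A, B, S, T, K)."""
    peer, R, theirs, masked = msg
    K = pow(masked * inv(G2(R, pwd, mine)) % P, x, P)   # g^{xry}
    first, second = (me, mine), (peer, theirs)
    if me > peer:                      # canonical order so both sides agree on identities and T
        first, second = second, first
    T = (R, first[1], second[1])       # demo transcript: the values both clients can see
    return H(first[0], second[0], s, T, K)


def honest_run() -> tuple:
    pwd = {b"A": b"pw-alice", b"B": b"pw-bob"}
    xa, Xs = client_flow1(pwd[b"A"])
    yb, Ys = client_flow1(pwd[b"B"])
    m = server(pwd, b"A", Xs, b"B", Ys)
    return (client_finish(b"A", pwd[b"A"], xa, Xs, m[b"A"]),
            client_finish(b"B", pwd[b"B"], yb, Ys, m[b"B"]))


def attack_run() -> tuple:
    """Figure 10: the adversary has corrupted C (static corruption) and knows pwdC."""
    pwd = {b"A": b"pw-alice", b"B": b"pw-bob", b"C": b"pw-carol"}
    pwdC = pwd[b"C"]                                  # obtained through the Corrupt query on C
    xa, Xs = client_flow1(pwd[b"A"])                  # A -> B : A, B, X*   (intercepted)
    client_flow1(pwd[b"B"])                           # B -> A : B, A, Y*   (intercepted; B is never answered)
    e, Es = client_flow1(pwdC)                        # adversary as C: E* = g^e . G1(pwdC)
    m = server(pwd, b"A", Xs, b"C", Es)               # S sees "A, C, X*" and "C, A, E*"
    _, R, Es_echo, Ebs = m[b"A"]                      # S -> A : S, C, R, E*, Ē*   (intercepted ...)
    sk_A = client_finish(b"A", pwd[b"A"], xa, Xs, (b"B", R, Es_echo, Ebs))  # ... re-sent as S, B, R, E*, Ē*
    _, _, _, Xbs = m[b"C"]                            # S -> C : S, A, R, X*, X̄*   (read by the adversary)
    K = pow(Xbs * inv(G2(R, pwdC, Es)) % P, e, P)     # unmask with pwdC, then X̄^e = g^{xre}
    sk_adv = H(b"A", b"B", b"S", (R, Xs, Es), K)      # A, B, S and T are public
    return sk_A, sk_adv
```

The server never learns that anything is wrong: it ran an ordinary session between A and C, and every value it returned is well formed. What breaks A's security is that pw_{A,2} = G2(R, pwdA, X*) binds the masked value only to A's own password and contribution, not to the peer A believes it is talking to, which is why the footnote's suggestion of including both identities in the G2 inputs addresses this particular run.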

5 Conclusion and Future Work

We examined the Bellare–Rogaway and Canetti–Krawczyk proof models. We analysed some non-intuitive gaps in the relations and the relative strengths of security between these models and their variants, and provided a detailed comparison of the relative strengths of the notions of security between the Bellare–Rogaway and Canetti–Krawczyk proof models. We also revealed a drawback with the BPR2000 model and a previously unpublished flaw in the Abdalla–Pointcheval protocol 3PAKE [1]; the attack would not be captured in the BPR2000 model because of the omission of Corrupt queries. Our studies concluded that (1) if the session identifier (SID) in the CK2001 model is defined to be the concatenation of the messages exchanged during the protocol run, then the CK2001 model offers the strongest definition of security compared to the Bellare–Rogaway model and its variants, and (2) the BPR2000 model is the weakest model. As a result of this work, we hope to have contributed towards a better understanding of the different flavours of proof models for key establishment protocols (i.e., whether protocols proven secure in one model are also secure in another). While our studies focus only on the Bellare–Rogaway and Canetti–Krawczyk models, it would be interesting to extend our work to other computational complexity proof models (e.g., the proof model due to Shoup [18]) or to simulation-based proof models (e.g., the universal composability approach and the black-box simulatability approach due to Canetti et al. [11] and Backes et al. [3] respectively).

1 Informally, it appears that this attack can be avoided by including the identities of both A and B when computing pwA,2 and pwB,2.


References

1. M. Abdalla and D. Pointcheval. Interactive Diffie-Hellman Assumptions with Applications to Password-based Authentication. In FC 2005, LNCS vol. 3570, pages 341–356. Springer-Verlag, 2005. Extended version available from http://www.di.ens.fr/~pointche/pub.php.
2. S. S. Al-Riyami and K. G. Paterson. Tripartite Authenticated Key Agreement Protocols from Pairings. In 9th IMA Conference on Cryptography and Coding, LNCS vol. 2898, pages 332–359. Springer-Verlag, 2003.
3. M. Backes, B. Pfitzmann, and M. Waidner. A General Composition Theorem for Secure Reactive Systems. In TCC 2004, LNCS vol. 2951, pages 336–354. Springer-Verlag, 2004.
4. M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. In STOC 1998, pages 419–428. ACM Press, 1998.
5. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. In Eurocrypt 2000, LNCS vol. 1807, pages 139–155. Springer-Verlag, 2000.
6. M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. In Crypto 1993, LNCS vol. 773, pages 110–125. Springer-Verlag, 1993.
7. M. Bellare and P. Rogaway. Provably Secure Session Key Distribution: The Three Party Case. In STOC 1995, pages 57–66. ACM Press, 1995.
8. S. Blake-Wilson, D. Johnson, and A. Menezes. Key Agreement Protocols and their Security Analysis. In 6th IMA International Conference on Cryptography and Coding, LNCS vol. 1355, pages 30–45. Springer-Verlag, 1997.
9. S. Blake-Wilson and A. Menezes. Security Proofs for Entity Authentication and Authenticated Key Transport Protocols Employing Asymmetric Techniques. In Security Protocols Workshop, LNCS vol. 1361, pages 137–158. Springer-Verlag, 1997.
10. C. Boyd, W. Mao, and K. Paterson. Key Agreement using Statically Keyed Authenticators. In ACNS 2004, LNCS vol. 3089, pages 248–262. Springer-Verlag, 2004.
11. R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067, 2000. http://eprint.iacr.org/2000/067/.
12. R. Canetti and H. Krawczyk. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In Eurocrypt 2001, LNCS vol. 2045, pages 453–474. Springer-Verlag, 2001. Extended version available from http://eprint.iacr.org/2001/040/.
13. L. Chen and C. Kudla. Identity Based Authenticated Key Agreement Protocols from Pairings. In CSFW 2003, pages 219–233. IEEE Computer Society Press, 2003. Corrected version at http://eprint.iacr.org/2002/184/.
14. K.-K. R. Choo, C. Boyd, and Y. Hitchcock. Examining Indistinguishability-Based Proof Models for Key Establishment Protocols. In Bimal Roy, editor, Asiacrypt 2005 (accepted to appear), LNCS. Springer-Verlag, 2005. Full version available from http://eprint.iacr.org/2005/270.
15. K.-K. R. Choo, C. Boyd, Y. Hitchcock, and G. Maitland. On Session Identifiers in Provably Secure Protocols: The Bellare-Rogaway Three-Party Key Distribution Protocol Revisited. In SCN 2004, LNCS vol. 3352, pages 352–367. Springer-Verlag, 2004. Extended version available from http://eprint.iacr.org/2004/345.
16. P. D. MacKenzie and R. Swaminathan. Secure Network Authentication with Password Identification. Submitted to the IEEE P1363 Working Group, 1999.
17. N. McCullagh and P. S. L. M. Barreto. A New Two-Party Identity-Based Authenticated Key Agreement. In CT-RSA 2005, LNCS vol. 3376, pages 262–274. Springer-Verlag, 2005. Extended version available from http://eprint.iacr.org/2004/122/.
18. V. Shoup. On Formal Models for Secure Key Exchange (Version 4). Technical Report RZ 3120 (#93166), IBM Research, Zurich, 1999.
19. D. S. Wong and A. H. Chan. Efficient and Mutually Authenticated Key Exchange for Low Power Computing Devices. In Asiacrypt 2001, LNCS vol. 2248, pages 172–289. Springer-Verlag, 2001.
